VDB
DEBIAN-CVE-2026-35536
DEBIAN-CVE-2026-35536
PUBLISHED
CVSS 5.300000190734863 MEDIUM
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.set_cookie were not checked for crafted characters.
Risk Scores
CVSS 3.1
5.300000190734863
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Debian:11 | python-tornado | 6.1.0-1, 0, 6.1.0-1+deb11u3 |
| Debian:14 | python-tornado | 6.5.4-0.1, 6.5.2-3, 6.5.2-2 |
| Debian:13 | python-tornado | 6.5.5-1, 0, 6.4.2-3 |
| Debian:12 | python-tornado | 6.2.0-3, 0, 6.5.5-1 |
Timeline
- Apr 3, 2026 CVE Published
- Apr 28, 2026 CVE Updated